In this chapter I'll discuss how to configure IPsec LAN-to-LAN (L2L) sessions on the PIX and ASA security appliances. The first part of the chapter covers the components you need to configure for the management connection, much of which also applies to remote access sessions; the second part covers configuring the components of the data connections. At the end of the chapter I'll walk through an example of an L2L session between PIXs/ASAs.
In April 2005, Cisco introduced a new version of the Finesse Operating System (FOS) for the PIX security appliances, called 7.0. Currently this is supported only on the 515/515E PIXs and higher. Likewise, in May 2005, Cisco introduced the new Adaptive Security Appliance (ASA) devices, which combine PIX, VPN concentrator, router, and IDS features in one box. Fortunately, much of the code and many of the commands found in the 7.0 PIX security appliances are the same as those found in the ASA devices. However, the 501 and 506/506E PIXs support only the FOS 6.3 software. Because the 7.0 software is new and the 6.x software is still in wide use, I'll point out differences in the configurations of both operating systems throughout the chapter where appropriate.
In version 7.0, the PIX/ASA supports VPN only in single mode, commonly called routed mode. VPNs are not supported when your PIX/ASA is configured for multiple security contexts (multi-mode) or in an Active/Active stateful failover configuration. In FOS 6.3 and earlier, the stateful failover feature of the PIXs did not provide stateful failover for VPN sessions; in FOS 7.0, this enhancement has been added. The configuration of failover and stateful failover on the PIX/ASA, however, is beyond the scope of this book. Topics such as tunnel groups, which were added in FOS 7.0, I'll cover in Chapter 22, "PIX and ASA Remote Access Connections," where they fit more naturally.